[Bug]: Fable 5 flags benign greeting ("hi") due to security-related filenames in system-injected git context

Open 💬 0 comments Opened Jun 10, 2026 by VenkatKwest

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Description

I was using the claude-fable-5 model in Claude Code and sent a single greeting — hi — to start a conversation. The model immediately returned a safety refusal without any harmful content from my side.

After looking at the error more carefully, I believe the trigger was not my message but the workspace context Claude Code automatically injects. My repository contains security-research filenames such as SSRF_AUDIT_PROMPT.md, appid_xss_vrp_report.md, and ghsa_bypass_spec.ts. These appear in the git status that Claude Code injects into the system prompt, and Fable 5's cybersecurity topic filter seems to have classified those filenames as triggering content before I typed anything.

Exact Error Message

API Error: Fable 5 has safety measures that flag messages on most cybersecurity or
biology topics (https://www.anthropic.com/legal/aup). They may flag safe, normal
content as well. These measures let us bring you Mythos-level capability in other
areas, and we're working to refine them. Claude Code can't respond to this request
with Fable 5.

Try rephrasing the request or retrying with a different model.

Learn more: https://support.claude.com/en/articles/15363606

Request ID: req_011CbtijFH7b91dwwRzYSk75

Steps to Reproduce

  1. Have a workspace (git repo) with security-research filenames in the working tree, such as:
  • SSRF_AUDIT_PROMPT.md
  • appid_xss_vrp_report.md
  • i18n_security_context_bypass_report.md
  • packages/core/test/acceptance/ghsa_bypass_spec.ts
  • packages/core/test/acceptance/bypass_repro_spec.ts
  1. Open Claude Code in that workspace (VSCode extension)
  2. Set model to claude-fable-5 via /model command
  3. Send a single message: hi
  4. Observe the safety refusal

Expected Behavior

A normal greeting response. I only typed hi — there is no harmful intent, no policy-violating content, nothing ambiguous. I expected the model to respond with something like "Hi! How can I help you?"

Actual Behavior

Immediate safety refusal citing cybersecurity topic restrictions, even though my message was a single-word greeting.

What I Think is Happening

Claude Code injects the workspace's git status as part of the system context on every conversation start. My git status included untracked filenames containing terms like ssrf, xss, vrp, bypass, and ghsa — all legitimate security research files in an Angular security audit project.

Fable 5's classifier appears to scan the full context window, including this system-injected metadata, not just my message. Because of that:

  • I only typed hi
  • The classifier fired on filenames in the injected git status
  • I had no way to know this was happening or prevent it without switching models

This means any developer doing legitimate security research cannot use Fable 5 in Claude Code at all — even for completely unrelated tasks — because their filenames permanently arm the safety classifier for every conversation.

Environment

| Field | Value |
|---|---|
| Claude Code version | 2.1.170 (VSCode extension) |
| Model | claude-fable-5 (claude-fable-5[1m]) |
| Platform | Windows 11 Home Single Language 10.0.26200 |
| Interface | VSCode Extension |
| Shell | PowerShell |
| Date observed | 2026-06-10 |
| Request ID | req_011CbtijFH7b91dwwRzYSk75 |

Workaround

Switching to claude-sonnet-4-6 via /model default works fine. The same workspace, same greeting, no safety flag.

Suggested Improvements

  1. Safety classification should be based on user messages, not on workspace metadata (filenames, git status) that the tool injects automatically.
  2. If system context must be scanned, filenames in git status should be treated as inert metadata — not as content that can arm topic-based safety filters.
  3. At minimum, the error message should clarify that the flag was triggered by injected workspace context, not the user's message, so users understand why it happened and what to do.

What Should Happen?

-

Error Messages/Logs

Steps to Reproduce

-

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.170 (VSCode extension)

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗